A program manager at a defense contractor asks a reasonable question: can the team use a commercial AI assistant to speed up proposal drafting, summarize technical documents, and answer policy questions? The tools are capable, widely used, and obviously useful. The instinct to adopt them is correct.
The problem is that much of the data those tasks touch is Controlled Unclassified Information, and sending CUI to a commercial AI service can violate three regulatory regimes at once: CMMC, NIST SP 800-171, and, for technical data, ITAR. The model never had to make a mistake. The violation happened the moment the data left the authorized boundary.
For government and defense work, the compliance question about AI is not about what the model outputs. It is about where your data goes to get processed. A commercial AI API moves controlled data outside the environment that has been assessed to hold it, and that movement is the violation, regardless of how good the answer is.
What counts as CUI, and why AI makes it urgent
Controlled Unclassified Information is government-created or government-owned information that requires safeguarding under law, regulation, or policy, but is not classified. In practice it covers a vast range of what defense contractors handle every day: technical drawings, specifications, proposal data, export-controlled technical information, and a great deal of program documentation.
AI makes the handling of CUI urgent because the most useful AI tasks are exactly the ones that ingest large amounts of internal documentation. Summarize this technical package. Answer questions across these specifications. Draft this section from these requirements. Each of those tasks, run through a commercial service, sends CUI outside the contractor's controlled environment. The more useful the task, the more controlled data it tends to touch.
The three frameworks that govern the answer
Three overlapping regimes determine whether a given AI deployment is lawful for government data. They are related but distinct, and a compliant deployment has to satisfy all three that apply.
| Framework | What it governs | What it requires for AI |
|---|---|---|
| CMMC 2.0 | Cybersecurity certification for defense contractors handling FCI and CUI | CUI systems generally need Level 2, mapped to NIST SP 800-171, verified by self or third-party assessment |
| NIST SP 800-171 | The control set for protecting CUI in nonfederal systems | Any system that processes, stores, or transmits CUI must meet these controls, including the AI service |
| FedRAMP Moderate | Authorization baseline for cloud services handling federal data | Required under DFARS 252.204-7012 for any cloud service that touches CUI |
| ITAR | Export control for defense-related technical data | Access limited to U.S. persons inside approved environments; data residency required |
The CMMC final rule took effect on November 10, 2025, phasing certification requirements into defense contracts. Contractors that cannot meet the required level become ineligible for award at both prime and subcontract tiers, and inaccurate compliance claims now carry False Claims Act exposure. The stakes for getting the AI question wrong are no longer theoretical.
Why a commercial AI API fails the test
Line the requirements up against how a standard commercial AI service works and the conflict is immediate. The service runs on infrastructure the contractor does not control and has not assessed against NIST SP 800-171. The data is processed outside the contractor's authorized boundary. The cloud environment behind the API is rarely authorized to the FedRAMP Moderate baseline required for CUI under DFARS. And the service makes no guarantee that only U.S. persons will have access to the data it receives.
Each of those is independently disqualifying for CUI. A vendor offering a business-grade agreement or a privacy promise does not change the analysis, because the requirement is not a contractual assurance about good behavior. It is an assessed, verifiable control environment that the data must stay inside. A promise is not an authorization boundary.
The compliance question is not "does the vendor promise to protect my data." It is "has this environment been assessed and authorized to hold CUI, and did my data stay inside it." For a commercial AI API, the answer to the second half is no, before anyone evaluates the model at all.
The FedRAMP and U.S.-persons trap
Two requirements catch teams that assume a paid or enterprise tier solves the problem. The first is FedRAMP. Under DFARS 252.204-7012, a cloud service that stores, processes, or transmits CUI has to meet the FedRAMP Moderate baseline. Most commercial AI services have not been authorized to that baseline, and an enterprise subscription does not confer it.
The second is the ITAR U.S.-persons rule. For export-controlled technical data, access must be limited to U.S. persons, and the data must remain in approved environments. This is why ITAR-regulated organizations rely on environments built for federal workloads, such as GovCloud or government community cloud, and specifically avoid commercial cloud, standard productivity suites, and consumer file sharing. A commercial AI API sits squarely in the category ITAR-regulated teams are required to avoid, and routing controlled technical data through it can constitute an unauthorized export.
What compliant AI looks like for government work
The path to compliant AI for CUI and ITAR is the same path that solves the underlying deployment-model problem: keep the data and the model inside an environment that already meets the controls. When the AI runs on-premises or inside an authorized government cloud, under the contractor's own NIST SP 800-171 controls, access management, and audit logging, the controlled data never crosses a boundary that has not been assessed to hold it.
That single architectural choice resolves all four requirements together. The data stays inside the CMMC Level 2 boundary. The processing happens within the NIST SP 800-171 control set the contractor maintains. There is no unauthorized cloud service to FedRAMP, because the model runs in the environment that is already authorized. And U.S.-persons access control is enforced by the contractor's own identity systems rather than outsourced to a vendor's promise.
For CUI and ITAR data, the deployment model is the compliance decision. AI that runs inside your authorized environment can be made compliant. AI that sends your controlled data to a commercial service generally cannot be, no matter how capable the model or how reassuring the contract. Choose the architecture first, then choose the model.
The capability gap between on-premises and commercial AI has narrowed to the point where it is no longer the deciding factor. The same families of models can run inside an authorized environment. For defense contractors and public-sector agencies, that means the realistic choice is not between compliant-but-weak and capable-but-noncompliant AI. It is between AI that respects your authorization boundary and AI that quietly violates it.
Sources: U.S. Department of Defense CMMC final rule amending the DFARS, effective November 10, 2025, establishing the three-level Cybersecurity Maturity Model Certification framework and tying CUI systems to NIST SP 800-171 (CMMC Level 2). DFARS 252.204-7012, requiring FedRAMP Moderate baseline for cloud services that store, process, or transmit CUI. NIST Special Publication 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. International Traffic in Arms Regulations (ITAR), restricting access to controlled technical data to U.S. persons within approved environments. This article is informational and not legal advice; contractors should confirm requirements against their specific contracts and assessors.
Bring AI Inside Your Authorization Boundary
Cognetryx runs capable AI on-premises or inside your authorized environment, under your own NIST SP 800-171 controls, access management, and audit logging. Your CUI and technical data never leave the boundary assessed to hold it.
Book a Free AI Strategy Assessment →